May 19, 2016
An Iranian “hacktivist” group has come forward to publicly take credit for the 2013 hack of a dam in the suburbs of New York City. The implications of the hack are wide-ranging, something that Senator Charles Schumer noted when he spoke about the incident:
“There are larger dams, there are public utilities, there are nuclear power plants…This cyber attack surely serves as a bucket of ice water to the face.”
But there is reason to believe that this was not a very sophisticated cyber attack and, instead, was made possible by weak password security. Thousands of public utilities and volumes of classified government information may be protected by passwords as simple as “admin” or “password123”.
That is a very good example of why a tech company based in San Francisco is offering an unusual solution to this problem: get rid of passwords altogether. WiActs, which works with large financial institutions and local governments, published a list of cyber hacks that their software could have prevented.
Major security breaches, from Ashley Madison to the IRS and LastPass, were all the result of weak identity management (passwords). Yaser Masoudnia, CEO of WiActs, commented on this topic:
“It does not matter how complex your password is, it can never be 100 percent secure. People write passwords down, send them in emails to other people, forget them, and can have them stolen in keylogger hacks.”
Passwords have been used for decades to secure every kind of account and every kind of device. But the hundreds of millions of dollars in damage that password-based breaches cause every year are driving companies like WiActs into the mainstream market.
Their solution seems unorthodox, but here is how the technology works:
- A user goes to WiActs' portal and, upon entering their username, the website will prompt them to open an app on their phone and verify their identity.
- The app reads the user’s biometric data (fingerprint) and sends an encrypted message to the login portal that the real user is logging in.
- The portal opens to reveal all of the user’s connected accounts – Outlook, Facebook, Office 365, Quickbooks, and so on.
- The user just needs to click on the service they want to access and they are logged in, without using a password.
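The article does not say how the phone's message is protected or checked. As an added sketch (not WiActs' code), the portal side of such a flow can bind the phone's approval to a fresh, single-use, short-lived challenge so that a captured approval cannot be replayed. It assumes an HMAC over a per-device key enrolled beforehand in place of the unspecified "encrypted message"; `Portal`, `approve` and `CHALLENGE_TTL` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)


def approve(device_key: bytes, username: str, nonce: str) -> bytes:
    """Phone side. Assumption: the app releases device_key only after a
    successful local fingerprint match, then authenticates the challenge."""
    msg = f"{username}\n{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class Portal:
    def __init__(self):
        self.device_keys = {}  # username -> key enrolled for that user's phone
        self.pending = {}      # nonce -> (username, expiry time)

    def enroll(self, username: str) -> bytes:
        """Register a phone: generate the key the app will store."""
        key = secrets.token_bytes(32)
        self.device_keys[username] = key
        return key

    def start_login(self, username: str, now: float = None) -> str:
        """Step 1: username entered, portal issues a random challenge."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (username, now + CHALLENGE_TTL)
        return nonce

    def finish_login(self, username: str, nonce: str, tag: bytes,
                     now: float = None) -> bool:
        """Steps 2-3: check the phone's approval before opening the portal."""
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # pop: each challenge is single use
        if entry is None:
            return False                       # unknown or already used (replay)
        owner, expiry = entry
        key = self.device_keys.get(username)
        if key is None or owner != username or now > expiry:
            return False                       # wrong user or stale challenge
        expected = approve(key, username, nonce)
        return hmac.compare_digest(expected, tag)  # constant-time comparison
```

The fingerprint itself never leaves the phone in this sketch; the portal only learns that the enrolled device answered the current challenge.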
While this process is a far cry from what consumers are used to, Masoudnia argues that people will adapt quickly:
“It only takes 5 to 10 seconds from start to finish, and then you have access to all of your accounts, no need to login to each one individually. Furthermore, the small hassle of using your phone is certainly overshadowed by forgetting your password or having your account breached by hackers.”
Of course, WiActs is not alone; other companies have begun to test similar ideas. Notably, Google is rumored to be launching a password-less identification management system. Consumers are certainly going to benefit, as the race to provide the first widely adopted password-less solution will cause it to be as effective and reliable as possible.